In a series of posts in their blog, the TSA has expanded on its claimed authority for the changes to “ID verification procedures” announced in a press release last month.

Lawmaking by press release exemplifies the evils of “secret law” which the Supreme Court declined to consider in Gilmore v. Gonzalez. The TSA now says that, “Our position is that Gilmore v. Gonzalez affirmed our ability to require ID for transportation via air and the law that formed TSA, the Aviation and Transportation Security Act (ATSA) empowers the TSA to make these decisions.”

In fact:

The 9th Circuit Court of Appeals in Gilmore v. Gonzalez reached its decision without addressing whether it would have been permissible for the airline or the TSA (or anyone else) to require Mr. Gilmore to show evidence of his identity, or to prevent him from travelling if he failed to do so. The court found that, as of that time and in that particular case, Mr. Gilmore could have flown without showing ID.

The section of the statute cited by the TSA in its press release and blog grants the TSA authority to issue certain regulations. But such regulations must be issued in a particular way, published in the Federal Register for comment, etc. Whatever they have done in secret, the TSA has not, in fact, issued any actual “regulations” requiring would-be passengers to display evidence of their identity, or to answer questions related to their identity.

If the TSA were to promulgate such regulations, they would exceed the authority granted by the statute cited by the TSA, which defines TSA authority to limit access to “sterile” areas in airports as limited to screening for weapons, explosives, and incendiaries — not absent or unsatisfactory evidence of identity.

Finally, any statute purporting to grant the TSA such authority — were one to be enacted, which it hasn’t been — would have to pass muster under both Constitutional and international human rights treaty standards.

So the question isn’t what authority the TSA has to issue regulations for screening, but what authority they have to compel answers to questions, to compel production of documentary evidence, or to prevent or delay people from travelling, in the absence of regulations or statutory authority for such actions.

But that’s not all. The TSA’s new “procedures” may violate several other laws:

Pursuant to the Regulatory Flexibility Act, an agency may not conduct, and a person is not required to respond to, a collection of information unless the collection of information displays a valid control number assigned by the Office of Management and Budget following publication of the proposal for the information collection in the Federal Register, and an opportunity for public comment. We haven’t seen any OMB control number on any TSA signs requesting the collection of either ticket or identity document information, and we can find no record of any Federal Register notice of a TSA proposal to collect either sort of information from travellers. If the TSA asks you to complete any sort of ticket or identity verification form, look for the OMB control number. If there is one, let us know what it is. (We’d love to see a copy of the actual form as well.) If there’s no OMB control number, politely remind the TSA that they aren’t allowed to collect this information, and you aren’t required to provide it.

Under the Privacy Act, it is a crime for a Federal employee to operate a system of records without providing notice — both in a System of Records Notice in the Federal Register, and when requesting information from individuals — of the authority for the system and the ways the information will be used. We haven’t seen any Privacy Act notices being provided to travellers when they are asked to show their tickets and identity documents, and we can’t find any record of a SORN in the Federal Register for any system of records of tickets or passenger ID for domestic flights within the US. If this information is to be recorded, ask to see a Privacy Act notice for what system it will be stored in and how it will be used. (if you can get one, please send us a copy of this notice.) And remind the TSA politely that anyone who is storing it without such a published notice is committing a Federal crime.

The TSA has admitted in their blog that they are using “public source” information about would-be travellers to determine whether to allow them to fly. But under Section 513 of the Consolidated Appropriations Act, 2007 (P.L. 110-161, H.R. 2764), “(d) … (a), no information gathered from passengers, foreign or domestic air carriers, or reservation systems may be used to screen aviation passengers, or delay or deny boarding to such passengers, except in instances where passenger names are matched to a Government watch list.” It’s unclear if the new TSA identity verification procedures are limited to passengers whose names match those on watch lists, but it seems unlikely. So if you are stopped or delayed by the TSA, on the basis of the information you have provided (including on the basis of that infomation being nonexistent because you decline to provide it, as any attorney would probably advise you to decline to do), remind the TSA that they are forbidden by law from taking any such action without an actual match of your name with a watch list.

Perhaps most importantly, Section 513 of the Consolidated Appropriations Act, 2007 (P.L. 110-161, H.R. 2764), also provides that, “(f) None of the funds provided in this or any other Act may be used for data or a database that is obtained from or remains under the control of a non-Federal entity”. It’s unclear what exactly the TSA means by “public source” identity verification data, but if that data comes from a commercial source — as it likely does — and if the TSA has paid for it — as they likely have — they are breaking the law. (For what it’s worth, this is a slightly different sub-section of the latest version of the same law the TSA violated, and continues to violate, by operating their Automated Targeting System for international travel.)

We look forward to the TSA’s response to our FOIA request for more information about what the TSA is up to with this illegal scheme.

7 Responses to “TSA “identity verification” procedures”

[...] form and be “cooperative”. But the TSA has promulgated no rules requireing ID, has no authority to legislate by press release, and hasn’t complied with even the procedural rules (much less the Constiutional standards) [...]